
DCG: A Client-side Protection Method for DNS Cache

Yan Zhao, Ning Hu*, Chi Zhang, and Xinda Cheng
Guangzhou University, Guangzhou, 510006 China
{2111906107, huning, 2111906100, [email protected]

Abstract

The Domain Name System provides resolution between domain names and IP addresses for Internet applications and is the backbone of the modern Internet. Because DNS security is critical to the Internet, a large number of defenses have emerged. Unfortunately, most of them focus on server-side protection; few protect the client. Since a server-side solution cannot guarantee that the client actually ends up using a trustworthy resolution result, this paper proposes a client-side protection method for the DNS cache. Our solution monitors the local DNS cache in real time and asynchronously verifies the authenticity of each name resolution result through a trusted third party. Experimental results show that the method can resist domain name poisoning attacks against clients. The solution is fully compatible with the existing DNS and supports incremental deployment.

Keywords: DNS Security, DNS spoofing, Cache Verification

1 Introduction

The Domain Name System (DNS) is a fundamental service of the Internet [13]. Its main function is to map domain names to IP addresses. Almost all Internet applications use DNS, and everyone relies on it when going online. Because DNS is so widely used, any attack on it has serious consequences; DNS security is therefore a foundation of Internet security [14]. However, DNS was designed under the assumption that it would run in a trusted network environment, and security was not considered. As a result, attacks that exploit DNS weaknesses are endless and pose a serious threat to the security of the Internet [2].
Journal of Internet Services and Information Security (JISIS), volume: 10, number: 2 (May 2020), pp. 103-121, DOI: 10.22667/JISIS.2020.05.31.103
*Corresponding author: Cyberspace Institute of Advanced Technology, Guangzhou University, 230 Wai Huan Xi Road, Guangzhou Higher Education Mega Center, Guangzhou, 510006, China, email: [email protected].
Disaster Damage Information Sharing System Yan Zhao, Ning Hu, Chi Zhang, and Xinda Cheng

Since security was not part of the original DNS design, many attacks against DNS have appeared, such as DNS spoofing [10], DNS hijacking [3], and DNS cache poisoning [15]. To improve DNS security, many methods have been proposed, such as DNSSEC [17], DNS over HTTPS (DoH) [6], DNS over TLS (DoT) [7], and DNSCrypt [4]. However, these methods have limitations: they focus only on the security of the DNS server and fail to protect the DNS client, they are incompatible with the existing DNS, or they are difficult to deploy. DNSSEC validation is normally performed by the recursive resolver rather than by the client, so the client still has to trust the resolver and the path to it, and DNSSEC alone cannot protect the DNS client. DoH, DoT, and DNSCrypt change the DNS transport, which makes them harder to promote and deploy; and because they encrypt DNS messages, they make it difficult for an organization's network security department to monitor malicious DNS traffic. With the development of blockchain, some researchers have proposed blockchain-based DNS security solutions [11], but this direction is still at the research stage. Alharbi et al. [1] proposed a cache poisoning attack against DNS clients that bypasses existing DNS defenses; the neglect of client-side DNS security is the reason the attack succeeds. Therefore, a new way to deal with such attacks is needed. A simple approach is to verify the DNS cache: every time a user accesses a domain name, the name and its IP address are cached on the user's computer.
Therefore, as long as we can verify that the client-side DNS cache is correct, we can ensure that the IP address used for a domain name is correct. The key problem is thus how to verify the correctness of the client's DNS cache; if that can be done, almost all DNS spoofing attacks against the client can be closed off.

In this paper we propose DCG, short for DNS Cache Guardian, a supplement to existing DNS defenses that protects DNS on the client side. The core idea is to verify the DNS cache. When a new record enters the cache, the client sends the record to a third-party server over a secure channel. The third-party server verifies the record and returns the verification result to the client, which gives the client the ability to distinguish fake DNS records. Note that after receiving a DNS reply, the user first uses the IP address to access the website and only afterwards receives the DCG verification result. This is a deliberate compromise: the goal is to provide security without sacrificing user experience, so the first connection to an unverified address has already been made by the time the verdict arrives. When a user receives a fake IP address for a domain name, the most likely case is that the address belongs to a phishing site on which the attacker wants the user to enter account credentials in order to steal the user's property. Entering that information takes time, so if DCG completes verification quickly, the user can be warned before finishing the input. Our experiments show that DCG needs about 1 s to produce a result, while user input usually takes longer than 1 s. DCG is a form of endpoint defense: even if the DNS security mechanisms in the DNS server or the LAN are bypassed by an attacker, it can still protect DNS at the last step. In addition, the method is compatible with DNS and works normally in Content Delivery Network (CDN) environments.
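The verification loop described above, written out as an added example for this page (it is not the authors' DCG implementation). The local cache is modelled as a sequence of snapshots; every (name, ip) pair that is new since the last snapshot is handed to an asynchronous verification task while the caller continues, and the verdicts are collected afterwards. The trusted answer table, the simulated round-trip latency, the three verdict values and the treatment of multi-address (CDN-style) answers as a set are assumptions of the example; all names and addresses are constructed.

```python
"""DNS Cache Guardian (DCG) style client-side check, sketched as an added
example.  Not the paper's implementation: the trusted answer table, the
simulated latency and every name/address below are constructed."""
import asyncio
from dataclasses import dataclass

# What the trusted third party would answer.  A name may legitimately map to
# several addresses (CDN), so the example treats the answer as a set
# (assumption of this example).
TRUSTED_ANSWERS = {
    "www.example.com": {"10.0.0.1", "10.0.0.2"},
    "login.example.net": {"192.0.2.10"},
}


@dataclass(frozen=True)
class Verdict:
    name: str
    ip: str
    status: str  # "verified", "poisoned" or "unknown"


async def trusted_verify(name: str, ip: str) -> Verdict:
    """Stand-in for the round trip to the verifier over a secure channel.
    The sleep models the ~1 s the paper reports for a real verification."""
    await asyncio.sleep(0.01)
    expected = TRUSTED_ANSWERS.get(name)
    if expected is None:
        return Verdict(name, ip, "unknown")
    return Verdict(name, ip, "verified" if ip in expected else "poisoned")


class CacheGuardian:
    """Watches successive snapshots of the local DNS cache and verifies every
    record that was not seen before, without blocking the caller."""

    def __init__(self):
        self.seen = set()
        self.tasks = []

    def observe(self, snapshot: dict) -> list:
        # A changed address for a known name is a new (name, ip) pair and is
        # verified again: this is exactly the cache overwrite a poisoner needs.
        new = [(n, ip) for n, ip in snapshot.items() if (n, ip) not in self.seen]
        for rec in new:
            self.seen.add(rec)
            self.tasks.append(asyncio.create_task(trusted_verify(*rec)))
        return new

    async def collect(self) -> list:
        verdicts = list(await asyncio.gather(*self.tasks))
        self.tasks = []
        return verdicts


async def _guard(snapshots):
    guardian = CacheGuardian()
    for snap in snapshots:
        guardian.observe(snap)
        await asyncio.sleep(0)  # the user keeps browsing while checks run
    return await guardian.collect()


def guard(snapshots) -> dict:
    """Run the guardian over a sequence of cache snapshots and return
    {(name, ip): status}; each verdict arrives after the record was used."""
    return {(v.name, v.ip): v.status for v in asyncio.run(_guard(snapshots))}


# Constructed cache snapshots: the second adds a poisoned login record, the
# fourth overwrites www.example.com with an address the verifier rejects.
SNAPSHOTS = [
    {"www.example.com": "10.0.0.1"},
    {"www.example.com": "10.0.0.1", "login.example.net": "198.51.100.7"},
    {"www.example.com": "10.0.0.1", "login.example.net": "198.51.100.7",
     "other.example.org": "203.0.113.5"},
    {"www.example.com": "10.0.0.9", "login.example.net": "198.51.100.7"},
]

if __name__ == "__main__":
    for (name, ip), status in guard(SNAPSHOTS).items():
        print(f"{name:20} {ip:15} {status}")
```

The design point to notice is that `observe` keys on the (name, ip) pair rather than on the name alone: a poisoner who overwrites an already-verified name with a new address produces a new pair and is checked again. The "unknown" verdict marks the case the text does not cover, a name the trusted party has no answer for; a real deployment has to decide whether that is treated as safe or as suspicious.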
The contributions of this paper are as follows:
• Introduce DNS risks and existing security mechanisms, and analyze the limitations of those mechanisms.
• Propose a method to protect DNS at the client side.

The first part of this paper is this introduction, which briefly presents the main content. The second part is the motivation: it briefly introduces DNS, analyzes the causes of DNS insecurity and the limitations of existing defenses, and states the goal of our method. The third part describes DCG in detail. The fourth part presents our experiments and results. Part 5 is related work, where work similar to this paper is introduced. Part 6 discusses issues that have not been treated carefully or that remain unresolved for now. The last section is the conclusion.

2 Motivation

2.1 DNS Overview

The Domain Name System (DNS) is a fundamental service of the Internet. The DNS protocol runs over UDP and TCP. As a large distributed database on the Internet, its main function is to map domain names to IP addresses. An IP address can be given a host name, which consists of one or more labels separated by dots. Users only need to remember a relatively intuitive and meaningful host name: they query it through DNS, and DNS returns information that includes the corresponding IP address. DNS frees users from IP addresses that are tedious and hard to remember and makes it easier to access the Internet.

Figure 1: The process of DNS

The working process of DNS is shown in Figure 1. When the client accesses a domain name (www.example.com), it first searches its DNS cache (browser cache, system cache, and hosts file).
If the name is not found in the cache, the client sends a request to the recursive resolver. The recursive resolver first checks its own cache and, if the record is there, replies to the client. Otherwise it queries the root server, the top-level domain server, and the authoritative server in turn until the name server for example.com is found. Finally, the recursive resolver sends the result (10.0.0.1) to the client.

DNS is a public service system. The services it provides are open and transparent to all users on the Internet and can be accessed and used by anyone. Its original designers therefore did not consider security, and every design decision was made for convenience. However, as the Internet has grown and the value of the information on it has increased, it has attracted many criminals. Today, a variety of DNS weaknesses seriously threaten the privacy and interests of Internet users, and because DNS is a basic service, its security is directly related to whether the Internet can operate normally.

DNS messages are transmitted in plain text, without encryption or signatures, and are therefore extremely vulnerable to spoofing attacks. For example, by sending many forged DNS responses an attacker can redirect or paralyze most network applications; this is known as DNS spoofing. Currently, DNS spoofing attacks mainly take the form of internal attacks and serial number (transaction ID) attacks. In an internal attack the attacker successfully compromises and controls the DNS server: the domain names in its database can then be modified at will, and the IP address corresponding to a domain name is replaced with an IP address preset by the attacker.
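To make the plaintext message and the serial number (transaction ID) check concrete, here is an added example that is not from the paper. It builds a DNS query and an A-record response in wire format, parses the response, and applies the only checks a naive stub resolver performs before caching an answer: the QR bit is set, the transaction ID matches, and the question matches. The `spoof` function models an attacker who races the real answer without knowing the ID and simply tries a range of guesses. Names, addresses and the guess range are constructed for the example.

```python
"""Plaintext DNS messages and the transaction-ID ("serial number") check, as
an added example.  Not from the paper; names and addresses are constructed."""
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in 0x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a name at msg[off:], following one RFC 1035 compression pointer."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0 == 0xC0:
            ptr = ((length & 0x3F) << 8) | msg[off]
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """A response anyone can forge: only txid and question tie it to a query."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse(msg: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4  # QTYPE, QCLASS
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "flags": flags, "qname": qname, "answers": answers}


def accept(query: bytes, response: bytes):
    """The checks a naive stub performs before caching: QR bit, same txid,
    same question.  Nothing here authenticates the sender."""
    q, r = parse(query), parse(response)
    if not r["flags"] & 0x8000 or r["txid"] != q["txid"] or r["qname"] != q["qname"]:
        return None
    return [(name, ip) for name, ip, _ttl in r["answers"]]


def spoof(query: bytes, attacker_ip: str, guesses) -> list:
    """Attacker racing the real answer without knowing the txid: forge one
    response per guess and return the (name, ip) pairs the client accepted."""
    qname = parse(query)["qname"]
    accepted = []
    for txid in guesses:
        hit = accept(query, build_response(txid, qname, attacker_ip))
        if hit:
            accepted.extend(hit)
    return accepted


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(accept(q, build_response(0x1234, "www.example.com", "10.0.0.1")))
    print(spoof(q, "203.0.113.66", range(0x1230, 0x1240)))  # one guess hits
```

The transaction ID is 16 bits, so an attacker who can send forged responses faster than the real one arrives needs at most 65,536 guesses, which is why resolvers added source-port randomization and why DNSSEC signs the data instead of relying on this check. A cache entry that resulted from a forged answer looks identical to a legitimate one, which is the situation a client-side cache check such as DCG is meant to catch after the fact.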